I spend a lot of the summer at my parents house in Hamar. They have finally gotten a proper internet connection after many years of dodgy radio wan. 1G/1G fiber all the way! I asked an old friend if he had a old cheap NUC or Raspberry Pi laying around. I lucked out, and was soon on my way with a old Intel Nuc. I bought a 2TB ssd and got to thinking.. What is the best way to set this up?

Connecting home

Som quick facts:

  • The NUC is connected directly to the router with cable.
  • WAN connection is dynamic IP address.
  • They got a WAN IP address, no carrier grade NAT shenanigans.
  • Port forwarding is possible on the router.

I have to options in mind:

  1. A wireguard tunnel back to my server.
  2. Portforwarding and dyndns.

pro's and cons.

Option 1No need to portforward.If I lose my Wireguard, I'm not able to get in.
Resilient to changing routers.All hosts that want to back up have to be connected with Wireguard.
Better security.
Option 2Can reach from everywhere.Loose connection if they swap routers.
Not relying on Wireguard setup at my place.Less security.

Optimal route

The optimal way of doing this might be to use ssh with ssh keys and TFA on ddns, and use wireguard for the backups. This would have given the option to login to the server, even if Wireguard for some reason went down. I want to be able to backup from everywhere without setting up VPN, so I went with just the port-forwarding. YOLO, right?

Set up

I went with Alma linux 9, but this should work on all rpm based distros.


I want to use podman with ddclient and cloudflare. Create a Cloudflare API token for the zone here. You should also create a subdomain for your host. Remember to change out fyksen.me with your domain, and YourTokenCode with the token you got from cloudflare.

# Enable linger:
sudo loginctl enable-linger $USER

# Create folder structure:
mkdir -p .config/systemd/user/
mkdir -p container_files/ddclient/

# Add config to ddclient.conf:
cat <<EOL > $HOME/container_files/ddclient/ddclient.conf

daemon=300 # check every 300 seconds
pid=/var/run/ddclient.pid # record PID in file
ssl=yes # use TLS
use=web # get IP with website below
web-skip='ip=' # IP address above is after 'ip='

protocol=cloudflare, \
zone=fyksen.me, \
subdomain.fyksen.me, subdomain2.fyksen.me, subdomain3.fyksen.me

# Create the .service file for ddclient:
cat <<EOL > $HOME/.config/systemd/user/container-ddclient.service
# container-ddclient.service
# autogenerated by Podman 4.4.1
# Thu Jul 20 21:44:23 CEST 2023

Description=Podman container-ddclient.service

ExecStart=/usr/bin/podman run \\
	--cidfile=%t/%n.ctr-id \\
	--cgroups=no-conmon \\
	--rm \\
	--sdnotify=conmon \\
	-d \\
	--replace \\
	--name=ddclient \\
	-e TZ=Europe/Oslo \\
	-e PUID=0 \\
	-e PGID=0 \\
	-v /home/$USER/container_files/ddclient:/config:Z lscr.io/linuxserver/ddclient:latest
ExecStop=/usr/bin/podman stop \\
	--ignore -t 10 \\
ExecStopPost=/usr/bin/podman rm \\
	-f \\
	--ignore -t 10 \\


# daemon reload, start and enable service
systemctl --user enable --now container-ddclient.service 

Fail2ban ssh

This will install epel-release, and fail2ban. Then configure and start fail2ban.

# Install packages
sudo dnf install -y epel-release
sudo dnf install -y fail2ban

sudo cat <<EOL > /etc/fail2ban/jail.local
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 3600

sudo systemctl restart fail2ban.service
sudo systemctl enable fail2ban.service

Check the setup with.

sudo fail2ban-client status


sudo fail2ban-client status sshd


  • Server = this box
  • Client = the client that you are backing up.


# Create the user borg, and set directory for it's home
# This wil also set the correct selinux properties on the dir.
sudo useradd -m -d /var/backup/borg borg
# Install borg backup
sudo dnf install  -y borgbackup
# Create ssh dir
sudo su - borg
mkdir .ssh
chmod 700 .ssh
touch .ssh/authorized_keys

Now you are reade to add you public keys from the client in the .ssh/authorized_keys. You should also create directories inside /var/backup/borg that corresponds to your borgmatic config.

sudo su - borg
mkdir all-the-things